Welcome to NBlog, the NoticeBored blog

The blogging will continue until morale improves

Jan 31, 2014

Network security awareness

Networking has played a pivotal role in the explosion of IT use in recent decades – first LANs and then WANs, most notably of course the Internet. Being an OF, I recall how it was in the dim and distant days prior to LANs, when computers were mostly accessed through directly connected teletype or green-screen terminals, and generally only by computer scientists sporting white labcoats and clipboards. Ordinary users - the lucky ones at least - interacted with Data Processing through the coding sheets for punched cards and fan-fold printouts.

Local Area Networks of various kinds were introduced to put terminals, and later PCs, directly in the hands of the users on site. Working in IT ie 80s, I saw rapid technological changes as wave after wave of networking protocols and standards rose and fell from grace. A dual-ring counter-rotating daisy-chain network from RACAL seemed cutting-edge at the time but was the bane of my life back then: supposedly it was resilient and self-healing, the "taps" being able to route traffic back around the other way if an upstream tap became unavailable. If the taps and cables weren't so inherently unreliable, it might have worked in practice as well as it did on paper.

The packet-routing capabilities of X.25 and TCP/IP enabled the first practical Wide Area Networks to pass-on traffic for distant nodes, and to re-route around obstacles such as overloaded or broken links. Once organizations started to interconnect entire networks and communities rather than individual computers and users, the social aspects started to come to the fore. As ARPANET, JANET and others morphed into the early Internet, dial-up modems, bulletin boards and a wonderful utility called Kermit enabled the benign hackers of the day to share and share alike. The net was a giant play pen cum classroom, where the technology was being actively developed, hacked and improved on the fly by some immensely talented individuals and groups, both professionals and amateurs.

Network security barely existed in those days: it was mostly computer security in fact, securing individual computers as if they were desert islands. The information security issues associated with networking today are many and varied. We may have thought we’d solved the availability issues of those unreliable early networks, and yet today we have wireless networks with intermittent coverage, and Denial of Service attacks are still occurring, some very significant and costly. Encrypting network traffic seems fairly straightforward, until we learn that the authorities have deliberately handicapped the protocols we trust, and anyway most network traffic is in clear.

Well fair enough, but aside from all those technical issues, what about the business angle on network security? Why should management care?

Organizations are facing the possibility of frauds, extortion, information theft and covert long-term infiltration of the corporation, as well as the business continuity aspects of network downtime. We have to deal with employees picking up viruses or giving away their passwords and other confidential information with gay abandon. There are strategic issues too such as network and security architectures, and governance issues such as putting the appropriate network security policies, teams and systems in place.

Ordinary employees may not really understand the technology, but when it comes to setting up their home networks and portable IT equipment, they need a basic appreciation of the security aspects, at least enough to ask for help if they can’t cope. They also need to realize that their use of corporate IT networking facilities is routinely logged and monitored, with obvious privacy implications as a consequence.

And then we come to the Internet of Things. I may be am a cynical OF but let's just say I was less than surprised to read recently about Internet-enabled fridges circulating spam already.

No comments:

Post a Comment

Hot topic

NBlogger is ...

Dr Gary Hinson PhD MBA CISSP has an abiding interest in human factors - the ‘people side’ as opposed to the purely technical aspects of information security. Gary's career stretches back to the mid-1980s as both practitioner and manager in the fields of IT system and network administration, information security and IT auditing. He has worked and consulted in the pharmaceuticals/life sciences, utilities, IT, engineering, defense, financial services and government sectors, for organizations of all sizes. Since 2003, he has been creating security awareness materials for clients (www.NoticeBored.com) and supporting users of the ISO27k standards (www.ISO27001security.com). In conjunction with Krag Brotby, he wrote "PRAGMATIC security metrics" (www.SecurityMetametrics.com). He is a keen radio amateur, often calling but seldom heard by distant stations on the HF bands.